// Flags data containing one fixed machine-code sequence that the metadata
// attributes to exploit code for CVE-2017-16995 (the Linux kernel eBPF verifier
// sign-extension flaw, a local privilege-escalation bug).
// The condition places no constraint on file type, size or offset: any
// occurrence of $a in the scanned data is a match.
rule Linux_Exploit_CVE_2017_16995_0c81a317 {
    meta:
        author = "Elastic Security"
        id = "0c81a317-b296-4cda-839c-a37903e86786"
        fingerprint = "40d192607a7237c41c35d90a48cbcfd95a79c0fe7c8017d41389f15a78d620f5"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2017-16995"
        // 64 hex characters; presumably the SHA-256 of the sample the pattern
        // was taken from. Confirm before pivoting on it.
        reference_sample = "48d927b4b18a03dfbce54bb5f4518869773737e449301ba2477eb797afbb9972"
        severity = 100
        // NOTE(review): $a contains REX.W (0x48) prefixes, so it is 64-bit
        // (x86-64) code; "x86" here appears to name the architecture family.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // $a decoded as x86-64:
        //   55                  push rbp
        //   48 89 E5            mov  rbp, rsp
        //   48 89 7D F8         mov  [rbp-0x8], rdi
        //   48 8B 45 F8         mov  rax, [rbp-0x8]
        //   48 25 00 C0 FF FF   and  rax, 0xffffffffffffc000
        //   5D                  pop  rbp
        //   C3                  ret
        //   55 48               push rbp, then the REX.W prefix of the next
        //                       instruction (start of the following function)
        // This is a complete one-argument function that rounds its argument
        // down to a 16 KiB boundary, followed by the next function's first bytes.
        // NOTE(review): the spill and reload of rdi looks like unoptimised
        // compiler output, so coverage is probably limited to builds that
        // resemble the reference sample. Treat a miss as "not this build",
        // not as "not this exploit".
        $a = { 55 48 89 E5 48 89 7D F8 48 8B 45 F8 48 25 00 C0 FF FF 5D C3 55 48 }
    condition:
        // Only one string is defined, so this is equivalent to "$a is present".
        all of them
}

// Flags data containing one fixed machine-code sequence that the metadata
// attributes to exploit code for CVE-2017-16995 (the Linux kernel eBPF verifier
// sign-extension flaw, a local privilege-escalation bug).
// The condition places no constraint on file type, size or offset: any
// occurrence of $a in the scanned data is a match.
rule Linux_Exploit_CVE_2017_16995_82816caa {
    meta:
        author = "Elastic Security"
        id = "82816caa-2fff-4b71-9544-443e611aacbf"
        fingerprint = "1a716566946fdd368230c02e2c749b6ce371fa6211be6b3db137af9b117bec87"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Exploit.CVE-2017-16995"
        // 64 hex characters; presumably the SHA-256 of the sample the pattern
        // was taken from. Confirm before pivoting on it.
        reference_sample = "14e6b788db0db57067d9885ab5ff3d3a5749639549d82abd98fa4fcf27000f34"
        severity = 100
        // NOTE(review): $a contains REX.W (0x48) prefixes, so it is 64-bit
        // (x86-64) code; "x86" here appears to name the architecture family.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // $a starts and ends mid-instruction. Decoded as x86-64:
        //   BC                  last byte of the preceding instruction
        //                       (presumably an 8-bit displacement)
        //   89 45 C0            mov  [rbp-0x40], eax
        //   8B 45 B8            mov  eax, [rbp-0x48]
        //   48 98               cdqe
        //   48 C1 E8 03         shr  rax, 3
        //   89 45 C4            mov  [rbp-0x3c], eax
        //   48 8B 45 B0         mov  rax, [rbp-0x50]
        //   48                  REX.W prefix of the next instruction
        // That is: a 32-bit local is sign-extended, shifted right by 3
        // (divided by 8) and stored to an adjacent local.
        // NOTE(review): the rbp-relative offsets are assigned by the compiler,
        // so the pattern is tied to a particular build of the code. A rebuild
        // with a different compiler or flags is unlikely to match.
        $a = { BC 89 45 C0 8B 45 B8 48 98 48 C1 E8 03 89 45 C4 48 8B 45 B0 48 }
    condition:
        // Only one string is defined, so this is equivalent to "$a is present".
        all of them
}

// Flags data containing one fixed machine-code sequence that the metadata
// attributes to exploit code for CVE-2017-16995 (the Linux kernel eBPF verifier
// sign-extension flaw, a local privilege-escalation bug).
// The condition places no constraint on file type, size or offset: any
// occurrence of $a in the scanned data is a match.
rule Linux_Exploit_CVE_2017_16995_5edb0181 {
    meta:
        author = "Elastic Security"
        id = "5edb0181-dfb1-47e2-873b-0fa3043bee67"
        fingerprint = "804635a4922830b894ed38f58751f481d389e5bfbea7a50912763952971844e6"
        creation_date = "2022-01-05"
        last_modified = "2022-01-26"
        threat_name = "Linux.Exploit.CVE-2017-16995"
        // 64 hex characters; presumably the SHA-256 of the sample the pattern
        // was taken from. Confirm before pivoting on it.
        reference_sample = "e4df84e1dffbad217d07222314a7e13fd74771a9111d07adc467a89d8ba81127"
        // NOTE(review): the pattern below may not be exploit-specific (see the
        // note on $a), so triage hits with surrounding context despite this
        // severity value.
        severity = 100
        // NOTE(review): $a contains REX prefixes (0x41-0x4A), so it is 64-bit
        // (x86-64) code; "x86" here appears to name the architecture family.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // $a starts and ends mid-instruction. Decoded as x86-64:
        //   F8 2F               ModRM + imm8 tail of a compare against 0x2f
        //                       (presumably `cmp r8d, 0x2f`; the opcode bytes
        //                       precede the pattern)
        //   77 0F               ja   +0x0f
        //   45 89 C2            mov  r10d, r8d
        //   49 89 D1            mov  r9, rdx
        //   41 83 C0 08         add  r8d, 8
        //   4A 8D 54 15 D0      lea  rdx, [rbp+r10-0x30]
        //   48                  REX.W prefix of the next instruction
        // NOTE(review): an offset checked against 47, advanced by 8, and used
        // to index a save area at rbp-0x30 looks like compiler-generated
        // variadic-argument (va_arg) handling rather than exploit logic.
        // If so, unrelated binaries built with the same compiler may match.
        // Validate against a clean corpus before alerting on this rule alone.
        $a = { F8 2F 77 0F 45 89 C2 49 89 D1 41 83 C0 08 4A 8D 54 15 D0 48 }
    condition:
        // Only one string is defined, so this is equivalent to "$a is present".
        all of them
}

